Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #81

October 14, 2008

If you use *any* tools to help with compliance with PCI, FISMA, SOX, FDCC or other laws/regulations, check out the last story of this issue about "What Works in Compliance Tools."
Early results from the new 2008 security professional salary survey seem to be illuminating the coming changes in the valuation of various cyber security jobs. The only way to get access to the information is to participate in the survey. This is not your typical salary survey: in addition to measuring and comparing salaries, we are taking a deeper look at the value of education and certification as well as geographic location, industry, and years of experience. Try to complete it today (it takes 15 minutes or less) at http://survey.sans.org/survey (Alan)

How can your organization utilize identity management technologies to cost-effectively manage and control user identities and demonstrate security compliance? Information provided in this IDC whitepaper can be used to guide your efforts on how to optimize and improve identity management deployments to make them more efficient. Learn more at http://www.sans.org/info/34203

TOP OF THE NEWS

New Anti-Piracy Law Imposes Stronger Penalties (October 13, 2008)

US President George W. Bush has signed into law the Prioritizing Resources and Organization for Intellectual Property Act (PRO-IP), which imposes more stringent penalties on people convicted of music and movie piracy. The bill creates an executive-level position, Intellectual Property Enforcement Coordinator, who will advise the White House on protecting both domestic and international IP. The law has the backing of the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) as well as of the US Chamber of Commerce. The US Justice Department opposed the creation of the IP czar, saying such a position would undermine its authority.
-http://uk.reuters.com/article/technologyNews/idUKTRE49C7EI20081013
-http://news.cnet.com/8301-13578_3-10064527-38.html
-http://www.pcmag.com/article2/0,2817,2332432,00.asp

World Bank Servers Have Been Attacked a Half-Dozen Times in the Last Year (October 10 & 12, 2008)

Former NSA Workers Allege Eavesdropping on Americans Abroad

Three former workers at the National Security Agency (NSA)'s wiretapping facility at Fort Gordon, Georgia between 2001 and 2007 have alleged that US spies listened to personal conversations of Americans living abroad and, on occasion, shared the conversations they heard with each other. The employees say there was scant supervision and conflicting instructions regarding expectations. Senator John D. Rockefeller IV (D-W.Va.), chairman of the Senate intelligence committee, says his staff is gathering more information about the allegations and may hold hearings.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/10/09/AR2008100902953_pf.html
-http://blog.wired.com/27bstroke6/2008/10/kinne.html
[Editor's Note (Pescatore): This type of thing always goes in cycles. The abuses of the McCarthy and Nixon eras in the US led to privacy laws and clear limitation of the intelligence agencies' domestic charter in the 1970s. As a 21-year-old new hire at NSA in 1978, I got called on the carpet and reprimanded for tuning a lab receiver across domestic mobile phone frequencies to test a piece of gear - there was strong supervision and very clear instructions. The pressure swung too far in that direction and led to intelligence failures that enabled events like the terrorist attacks of 2001. Now things have swung too far the other way and it is time to correct again.]

Crime syndicates with members in China and Pakistan have managed to place devices in chip-and-pin machines that steal payment card data. The devices were planted in the machines before they were shipped from China to stores in England, Ireland, Denmark, Belgium and the Netherlands. The stolen information was sent over mobile phone networks to people in Pakistan, who then used the card data to make fraudulent purchases and withdrawals. The simplest way of determining whether a given machine has been tampered with is to weigh it; the implanted devices add several ounces to each machine. The attack has been going on for nine months; losses are estimated at between US $50 million and US $100 million, but could ultimately be higher.
-http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html

THE REST OF THE WEEK'S NEWS

ARRESTS, CHARGES & CONVICTIONS

Gregory King has been sentenced to two years in prison and ordered to pay more than US $69,000 in restitution for launching distributed denial-of-service (DDoS) attacks against the CastleCops and KillaNet Technologies websites. The attacks took place in early 2007 and caused an estimated US $70,000 in damage. King admitted to the attacks in June. He had faced a maximum sentence of 20 years in prison and a fine of half a million dollars, but prosecutors agreed to a reduced sentence in exchange for guilty pleas to two felony counts of transmitting code to cause damage to protected computers.
-http://www.theregister.co.uk/2008/10/13/castlecops_attacker_sentenced/
-http://www.centralvalleybusinesstimes.com/stories/001/?ID=10031
[Editor's Note (Northcutt): Curiously, I was trying to access http://www.castlecops.com/CLSID.html several times today and timed out each time; wonder if there is any correlation between the two events. ]

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

According to a report from the Treasury Inspector General for Tax Administration (TIGTA), three computer systems at the US Internal Revenue Service (IRS) Office of Research, Analysis and Statistics lack adequate access management controls. The IRS's security policies were found to be adequate, but enforcement needs improvement. The report found insufficient guidance and compliance oversight of IRS security policies; in addition, no vulnerability scanning software had been deployed. Eleven percent of employees on the systems reviewed had been granted access without the required authorization from managers, and the systems were not configured to disable inactive accounts.
-http://www.nextgov.com/nextgov/ng_20081009_3974.php
-http://www.treas.gov/tigta/auditreports/2008reports/200820176fr.pdf

SPAM, PHISHING & ONLINE SCAMS

New spam messages are spreading, purporting to contain "an experimental private version of an update for all Microsoft Windows OS users." While there is nothing new about malware spreading in the guise of security updates, the fact that these messages are arriving just as Microsoft is scheduled to release its October update makes it more likely that the attackers will have a greater level of success. The executable file attached to the message infects users' computers with malware. The spam offers several clues that it is not legitimate: the grammar is dodgy, and the message claims that the update addresses versions of Windows that are no longer supported and for which patches would therefore not be issued. Microsoft never sends security updates as email attachments.
-http://www.vnunet.com/vnunet/news/2228041/malware-writers-spoof-patch
[Editor's Note (Ullrich): An interesting feature of this e-mail is the use of a fake PGP signature. The signature block is actually just random data, but it is supposed to provide the e-mail with more credibility.
(Skoudis): It's also interesting that the bad guys continue to have massive grammar problems in their phishing schemes. Some of their prose is almost comical. Perhaps someday we'll see organized cyber crime rings employing in-house grammarians to clean up their wording before they foist it on unsuspecting users.
(Pescatore): This is another data point on why "private patches" (patches that come from other than the software vendor) are a very bad idea. ]
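The decorative signature block Ullrich mentions can be caught without any key material. A genuine "-----BEGIN PGP SIGNATURE-----" block is base64 of OpenPGP packets followed by an "=XXXX" line carrying a CRC-24 over the decoded bytes (RFC 4880, section 6.1), and random characters pasted in for credibility will not decode to a packet tagged as a signature with a matching checksum. The Python below is an added example written for this page, not code from the newsletter or from any of the sources it cites. Both armored blocks in it are constructed: the "genuine" one wraps placeholder packet bytes with a correct signature-packet header rather than a real signature, and the lure message is invented in the style of the spam described above.

```python
"""Structural triage of a PGP SIGNATURE armor block found in an e-mail.

Example code added for this page (not from the newsletter). It does not
verify any signature cryptographically; it only checks whether the block
is even well-formed OpenPGP armor: base64 that decodes, a CRC-24 trailer
that matches (RFC 4880 section 6.1) and a first packet tagged as a
signature (tag 2). A block pasted in as decorative random text fails these.
"""
import base64
import binascii
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 exactly as in the RFC 4880 reference implementation."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_signature(packets: bytes) -> str:
    """Wrap raw OpenPGP packet bytes in well-formed ASCII armor."""
    body = base64.b64encode(packets).decode()
    crc_line = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    lines = ["-----BEGIN PGP SIGNATURE-----", ""]
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines += [crc_line, "-----END PGP SIGNATURE-----"]
    return "\n".join(lines)


def inspect_signature_armor(text: str) -> dict:
    """Return structural findings for the first PGP SIGNATURE block in text."""
    result = {"armor_found": False, "decodes": False, "crc_ok": False,
              "packet_tag": None, "is_signature_packet": False}
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)-----END PGP SIGNATURE-----",
                  text, re.S)
    if not m:
        return result
    result["armor_found"] = True
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    if "" in lines:                      # drop armor headers such as "Version: ..."
        lines = lines[lines.index("") + 1:]
    lines = [ln for ln in lines if ln]
    if lines and lines[-1].startswith("="):   # "=XXXX" CRC trailer
        crc_line, body_lines = lines[-1], lines[:-1]
    else:
        crc_line, body_lines = None, lines
    try:
        packets = base64.b64decode("".join(body_lines), validate=True)
    except (binascii.Error, ValueError):
        return result
    result["decodes"] = True
    if crc_line is not None and len(crc_line) == 5:
        try:
            expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
            result["crc_ok"] = expected == crc24(packets)
        except (binascii.Error, ValueError):
            pass
    if packets and packets[0] & 0x80:    # bit 7 is set on every OpenPGP packet header
        first = packets[0]
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
        result["packet_tag"] = tag
        result["is_signature_packet"] = tag == 2
    return result


# Constructed "genuine" block: an old-format packet header for tag 2 (0x88)
# with a 3-byte placeholder body. Not a real signature, just a valid header.
GOOD_BLOCK = armor_signature(bytes([0x88, 0x03, 0x04, 0x00, 0x01]))

# Constructed lure in the style of the spam described above: base64-looking
# filler plus a made-up CRC line. Every line of this message is invented.
FAKE_MAIL = """From: "Microsoft Security" <example@example.invalid>
Subject: experimental private version of an update for all Microsoft Windows OS users

Please install the attached update.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

dGhpcyBpcyBub3QgYSBzaWduYXR1cmU=
=AbCd
-----END PGP SIGNATURE-----
"""


def verdict(text: str) -> str:
    r = inspect_signature_armor(text)
    if not r["armor_found"]:
        return "no PGP armor"
    if r["decodes"] and r["crc_ok"] and r["is_signature_packet"]:
        return "well-formed signature block (still unverified)"
    return "malformed signature block: decorative, not a real signature"


if __name__ == "__main__":
    print(verdict(GOOD_BLOCK))
    print(verdict(FAKE_MAIL))
```

Passing this check only says the block is well-formed. An attacker can paste a valid signature lifted from elsewhere, so verification against a trusted key remains the real control, and for Windows updates the simpler rule in the story above still applies: Microsoft never ships patches as e-mail attachments.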

STUDIES AND STATISTICS

A security assessment survey of 169 websites conducted by the Japanese cyber security consulting firm NRI Secure Technologies, Ltd. during the 2007 fiscal year found that 41 percent of the sites had critical security flaws that could allow access to sensitive information. An additional 30 percent of the sites were found to have vulnerabilities that could lead to information leaks. The majority of vulnerabilities were attributed to "incomplete measures," in which security measures had been applied to some extent, but not broadly enough to prevent access to sensitive data.
-http://www.nri-secure.co.jp/news/2008/1010_report.html
[Editor's Note (Skoudis): This report offers great insights into the problems we face with web security. In particular, it makes it clear that, from a defensive perspective, we aren't getting any better. And, as the bad guys ramp up their attack skills and techniques, we are in fact falling behind, relatively speaking (i.e., with a constant level of vulnerabilities and steadily increasing threat, our relative risk rises). The remaining prevalence of XSS attacks is particularly disheartening, as this vector offers attackers major opportunities for controlling victims' browsers to undermine applications.
(Pescatore): This is a fairly optimistic view, probably because the survey was skewed towards financial companies and overall security in Japan tends to be higher in general. Most similar studies show more like 75% of sites have critical security flaws. One factoid they did state, which mirrors what I see a lot, is that web sites that have never had a vulnerability assessment are four times more likely to have a critical flaw than those that had assessments. Seems simple, but I'm always surprised to find how many businesses do not regularly check their web sites for vulnerabilities - even if you are sure you locked the doors, rattling the door knobs to be sure is a very good idea. ]

Consumer Reports Online Security Guide

This consumer education guide to making online experiences safe includes information about auction scams, spam, viruses, spyware, phishing, ID theft and a special section on keeping children safe online. There are also ratings for security suites and antiphishing toolbars, an interactive phishing quiz, and videos about cell phone spam, phishing and the methods CR uses to test the security suites.
-http://www.consumerreports.org/cro/electronics-computers/resource-center/cyber-insecurity/cyber-insecurity-hub.htm
[Editors' Note (Veltsos and Paller): Year after year, Consumer Reports is one of the best all-in-one resources for home users and end users; it provides clear and simple advice and remains vendor neutral. ]

What Works In Security Compliance Tools? (October 14, 2008)

Twenty-five leading software vendors jointly developed a list of which laws, regulations and standards are driving the sales of their products. In order from most to least important, they are: (1) PCI-DSS, (2, tie) FISMA and SOX, (4, tie) HIPAA and GLBA, (6) NERC, (7, tie) ISO 17799 and FDCC (OMB 06-16). The next big step is to ask readers to look at this from the user side. If you have ever bought a tool to help with compliance, please take a moment and answer three quick questions:
1. Which of the laws/regulations/standards drove the purchase of the tool?
2. Which tool did you buy, and how would you rate it (from 1, great, to 3, poor) in its effectiveness at making compliance easier?
3. In what way did the tool improve your organization's actual security (beyond compliance)?
Remember John Pescatore's sage guidance: first secure your systems, then worry about compliance. Send answers to apaller@sans.org with subject "compliance tools".

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Dr. Christophe Veltsos, CISSP, CISA, GCFA teaches Information Security courses at Minnesota State University, Mankato. He is the President of Prudent Security LLC and also serves as the President of the Mankato Chapter ISSA.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/